Welcome to OnPolicy, your regular briefing on key global policy updates from the world of digital identity, AI, and data privacy.
ICO guidance on AI and data protection: The ICO has updated its Guidance on AI and Data Protection after industry requests to clarify requirements for fairness in AI. New chapters have been added on how to ensure transparency, lawfulness and fairness in AI. As part of this, the ICO has clarified data protection fairness considerations across the “AI lifecycle, from problem formulation to decommissioning.” This update supports the Government’s vision of a pro-innovation approach to AI regulation and, more specifically, its intention to embed considerations of fairness into AI.
Data Protection: The Government re-introduced the Data Protection and Digital Information Bill to Parliament. The reforms are intended to address the shortcomings of the EU’s GDPR, which was transposed into UK domestic law through the Data Protection Act 2018. The overall aim is to simplify the UK’s data protection framework with a view to reducing burdens on organizations and encouraging innovation while maintaining high data protection standards. Key changes include the inclusion of scientific research carried out as a commercial activity, a non-exhaustive list of activities that may be regarded as “legitimate interests” and provisions to enable businesses to continue using existing cross-border data transfer mechanisms. The Bill will now begin its legislative process through Parliament.
AI Act: We are continuing to see movement on the AI law, this time with the EU Parliament’s negotiations. Key developments include clear exclusions for verification and authentication from the definition of “remote biometric identification system”, and a new definition of “biometric verification system.” As things stand, it appears that MEPs have not yet taken a decision as to the risk categorisation for biometric verification systems. Open source AI has also been excluded from the scope of the AI Act, with MEPs clarifying that Free and Open Source AI systems will be exempted except in specified circumstances. There is still lots of work to be done to reach a final position on this complex and important legislation.
EU digital identity: The EU has issued its framework architecture for digital ID wallets. The document lays out specifications and requirements needed to develop an interoperable European Digital Identity (EUDI) Wallet Solution such as user attributes, logs, and interfaces, and presents a state-of-play of ongoing work of the eIDAS Expert Group. It is important to note that this document is a draft of the technical architecture and is not legally enforceable. In fact, it is subject to change once the legislative negotiations on the eIDAS proposal are finalized.
Digital identity is critical infrastructure: The White House released its National Cybersecurity Strategy, which designated digital identity as critical infrastructure for the first time. This is a welcome acknowledgement of the challenges and the need to get this right - which will require the private sector and public sector to work together. The report noted:
“Today, the lack of secure, privacy-preserving, consent-based digital identity solutions allows fraud to flourish, perpetuates exclusion and inequity, and adds inefficiency to our financial activities and daily life. Identity theft is on the rise, with data breaches impacting nearly 300 million victims in 2021 and malicious actors fraudulently obtaining billions of dollars in COVID-19 pandemic relief funds intended for small businesses and individuals in need. This malicious activity affects us all, creating significant losses for businesses and producing harmful impacts on public benefit programs and those Americans who use them. Operating independently, neither the private nor public sectors have been able to solve this problem.”
Future Direction of Login.gov: Login.gov is the US federal government’s single-sign-on solution for government websites. Recently, the General Services Administration (GSA) Inspector General (IG) released a report that found GSA officials misled other federal agencies about whether Login.gov met digital identity standards (full IG report here). Given the Biden Administration's pandemic anti-fraud proposal and rumored plans to expand Login.gov access to state and local governments, keep an eye on Congress to see how they approach this following the hearing in the Oversight and Accountability Committee on March 29. Jeremy Grant has a thoughtful op-ed on the topic that’s worth a read here.
House Republicans crypto focus: The House Financial Services Committee Republicans are working on comprehensive crypto regulation legislation. They are spending March and April in listening sessions with stakeholders and considering legislative proposals.
CFPB looking into data brokers: The Consumer Financial Protection Bureau (CFPB) released an RFI on data brokers (comments due June 13, 2023). According to the CFPB’s press release, the agency “seeks information about business practices employed in the market today to inform the CFPB’s efforts to administer the law, including planned rule-making under the FCRA.”
Iowa makes 6: Iowa became the sixth state with a data privacy law, with the Governor’s signature on March 28.